3/16/2023
Polymail for android

For most hospitals, doctors’ offices, and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. But many companies that collect people’s health information – whether it’s a fitness tracker, a diet app, a connected blood pressure cuff, or something else – aren’t covered by HIPAA. Does that mean this sensitive health information doesn’t have any legal protections? Not at all.

The Federal Trade Commission (FTC), the nation’s consumer protection agency, enforces Section 5 of the FTC Act, which prohibits companies from misleading consumers or engaging in unfair practices that harm consumers. In addition, the FTC enforces the Health Breach Notification Rule, which requires certain organizations (both businesses and nonprofits) not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information. An FTC Policy Statement makes clear that makers of health apps, connected devices, and similar products must comply with the Rule.

WHO'S COVERED BY THE HEALTH BREACH NOTIFICATION RULE

Is your business covered by the Health Breach Notification Rule? Do you know your legal obligations if you experience a security breach? The Rule covers:

- a vendor of personal health records (PHRs).
- a third party service provider for a vendor of PHRs or a PHR related entity.

Your business is a vendor of personal health records if it “offers or maintains a personal health record.” A personal health record is defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” For example, if you develop a health app that collects information from consumers and can sync with a consumer’s fitness tracker, you’re probably a vendor of personal health records. You’re not a vendor of personal health records if you’re covered by HIPAA.

Your business is a PHR related entity if it interacts with a vendor of personal health records either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in a personal health record or sending information to a personal health record. For example, a company that offers a fitness tracker is likely a PHR related entity if it sends information to health apps (which are likely personal health records, as described above). Your company is not a PHR related entity if you’re already covered by HIPAA.

Your business is a third party service provider if it offers services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or PHR related entities. For example, if a vendor of personal health records hires your company to provide billing, debt collection, or data storage services related to health information, you’re a third party service provider, and covered by the Rule.

WHAT TRIGGERS THE NOTIFICATION REQUIREMENT

The Rule requires that you provide notice when there has been an unauthorized acquisition of unsecured PHR identifiable health information. How those terms are defined is important: If health information that you maintain or use is acquired by someone else without the affected person’s approval, it’s an unauthorized acquisition under the Rule.